From f81ba12aa5094d2bc8148cceca76101a7c55d642 Mon Sep 17 00:00:00 2001
From: Paul Gabriel
Date: Mon, 20 Feb 2023 16:49:47 +0100
Subject: [PATCH] fix(escape): Escape double quotes and all other characters reliably
---
 lib/mrsk/configuration/role.rb | 2 +-
 lib/mrsk/utils.rb | 6 +++++-
 test/configuration/role_test.rb | 4 ++--
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/lib/mrsk/configuration/role.rb b/lib/mrsk/configuration/role.rb
index 19a3cabd..628299c0 100644
--- a/lib/mrsk/configuration/role.rb
+++ b/lib/mrsk/configuration/role.rb
@@ -58,7 +58,7 @@ class Mrsk::Configuration::Role
 def traefik_labels
 if running_traefik?
 {
- "traefik.http.routers.#{config.service}.rule" => 'PathPrefix(\`/\`)',
+ "traefik.http.routers.#{config.service}.rule" => "PathPrefix(`/`)",
 "traefik.http.services.#{config.service}.loadbalancer.healthcheck.path" => config.healthcheck["path"],
 "traefik.http.services.#{config.service}.loadbalancer.healthcheck.interval" => "1s",
 "traefik.http.middlewares.#{config.service}.retry.attempts" => "3",
diff --git a/lib/mrsk/utils.rb b/lib/mrsk/utils.rb
index 5bf1dc94..7aa58a4f 100644
--- a/lib/mrsk/utils.rb
+++ b/lib/mrsk/utils.rb
@@ -5,7 +5,7 @@ module Mrsk::Utils
 def argumentize(argument, attributes, redacted: false)
 Array(attributes).flat_map do |k, v|
 if v.present?
- [ argument, redacted ? redact("#{k}=\"#{v}\"") : "#{k}=\"#{v}\"" ]
+ [ argument, redacted ? redact("#{k}=#{escape_bash_string v.to_s}") : "#{k}=#{escape_bash_string v.to_s}" ]
 else
 [ argument, k ]
 end
@@ -26,4 +26,8 @@ module Mrsk::Utils
 def redact(arg) # Used in execute_command to hide redact() args a user passes in
 arg.to_s.extend(SSHKit::Redaction) # to_s due to our inability to extend Integer, etc
 end
+
+ def escape_bash_string(string)
+ string.dump.gsub(/`/, '\\\\`')
+ end
 end
diff --git a/test/configuration/role_test.rb b/test/configuration/role_test.rb
index f462d30a..b1916a52 100644
--- a/test/configuration/role_test.rb
+++ b/test/configuration/role_test.rb
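Review bot: The changed line in `argumentize` builds the escaped pair twice, once per branch of the ternary, and calls `escape_bash_string` inside the interpolation without parentheses, which makes the line hard to scan. Building it once reads better: `pair = "#{k}=#{escape_bash_string(v.to_s)}"` followed by `[ argument, redacted ? redact(pair) : pair ]`. Only the value is escaped; the key `k` is still interpolated as is, which deserves a comment if keys are assumed to come from trusted configuration. The `flat_map` block and the method end outside this hunk.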
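Review bot: `escape_bash_string` leaves `$` unescaped, so a value containing `$` is still subject to parameter expansion and command substitution inside the double quotes that `String#dump` emits (assuming, as the name suggests, that the result is placed on a shell command line); only backticks get the extra `gsub`. `dump` also writes Ruby escapes such as `\n`, `\xNN` and `\uNNNN` for newlines and non-ASCII characters, which a POSIX shell does not decode inside double quotes, so such values would arrive altered. Consider quoting with the standard library instead, `Shellwords.escape(string)` (needs `require "shellwords"`), and updating the expected strings in test/configuration/role_test.rb to the new form. A one-line comment on the method stating which shell context its output is safe for would help later callers.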
@@ -95,9 +95,9 @@ class ConfigurationRoleTest < ActiveSupport::TestCase } ENV["REDIS_PASSWORD"] = "secret456" - ENV["DB_PASSWORD"] = "secret123" + ENV["DB_PASSWORD"] = "secret&\"123" - assert_equal ["-e", "REDIS_PASSWORD=\"secret456\"", "-e", "DB_PASSWORD=\"secret123\"", "-e", "REDIS_URL=\"redis://a/b\"", "-e", "WEB_CONCURRENCY=\"4\""], @config_with_roles.role(:workers).env_args + assert_equal ["-e", "REDIS_PASSWORD=\"secret456\"", "-e", "DB_PASSWORD=\"secret&\\\"123\"", "-e", "REDIS_URL=\"redis://a/b\"", "-e", "WEB_CONCURRENCY=\"4\""], @config_with_roles.role(:workers).env_args ensure ENV["REDIS_PASSWORD"] = nil ENV["DB_PASSWORD"] = nil
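Review bot: The updated assertion exercises only `&` and `"`, while the same commit adds a backtick rule in `escape_bash_string` and changes the Traefik rule label to carry raw backticks; neither path is asserted in this hunk. Extending the `DB_PASSWORD` sample with a backtick and a `$`, and adding an assertion on the role's label arguments for the `PathPrefix` rule, would pin down what the escaping is meant to guarantee. The test method begins outside this hunk, so existing coverage elsewhere in the file cannot be ruled out from here.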